Pixnapping: New Class Attack including 2FA exploit

[fullfitlarry]

A group or researchers has recently collaborated and going to released this discovery and they call it Pixnapping.

Pixnapping is a new class of attacks that allows a malicious Android app to stealthily leak information displayed by other Android apps or arbitrary websites. Pixnapping exploits Android APIs and a hardware side channel that affects nearly all modern Android devices. We have demonstrated Pixnapping attacks on Google and Samsung phones and end-to-end recovery of sensitive data from websites including Gmail and Google Accounts and apps including Signal, Google Authenticator, Venmo, and Google Maps. Notably, our attack against Google Authenticator allows any malicious app to steal 2FA codes in under 30 seconds while hiding the attack from the user.

And from the word itself, it's a pixel-stealing framework. And it's target are those Android phones (certain version), that it can bypasses and take advantage of Android's API to steal all information from us.



There is a video demonstration so I urge everyone to watch it. And they have answered some questions too in the link provided.

We all know that all of us could have been using 2FA as another extra layer of protection. We uses it from everything related to crypto, including in exchanges and even crypto based platforms. But now this researches have should that it could be exploited by cyber threat.

https://www.pixnapping.com/

[LoyceV]

Notably, our attack against Google Authenticator allows any malicious app to steal 2FA codes in under 30 seconds while hiding the attack from the user.

There's a more fundamental problem: 2FA isn't supposed to be on the same device as what you're doing. If you trade crypto or use online banking on the same phone that creates your 2FA codes, your phone itself becomes a single point of failure.

[Charles-Tim]

There's a more fundamental problem: 2FA isn't supposed to be on the same device as what you're doing. If you trade crypto or use online banking on the same phone that creates your 2FA codes, your phone itself becomes a single point of failure.

All the 2FA that I have used before work well on offline devices. It possible one can spare an old phone for it, it will work on it. The 2FA apps are also very easy to load and they support lower operating system versions. You can get a very cheap Android phone for it that will require very low amount of money.

[TryNinja]

Another big issue is that this attack can steal data from Gmail (emails) and Google Accounts.

What information does the attack steal?
Anything that is visible when the target app is opened can be stolen by the malicious app using Pixnapping. Chat messages, 2FA codes, email messages, etc. are all vulnerable since they are visible.

I wouldn't use Google Authenticator anyways. There are many open source options that can be locked with a password before the app loads and the attacker gets to steal the data from your screen.

[DYING_S0UL]

There's a more fundamental problem: 2FA isn't supposed to be on the same device as what you're doing. If you trade crypto or use online banking on the same phone that creates your 2FA codes, your phone itself becomes a single point of failure.

All the 2FA that I have used before work well on offline devices. It possible one can spare an old phone for it, it will work on it. The 2FA apps are also very easy to load and they support lower operating system versions. You can get a very cheap Android phone for it that will require very low amount of money.

I guess i'm on the safe side. I have two devices, the older one (partially broken) I rarely use have auth set up and the new one with no auth or anything at all!

I wouldn't use Google Authenticator anyways. There are many open source options that can be locked with a password before the app loads and the attacker gets to steal the data from your screen.

What other options do you prefer then?
Years ago I used to use twilio aka authy before their data leak happened. After that I shifted to google Authenticator, and the security on that seemed shit, can't even lock the app, and now using Aegis.
Among all the ones, I can say aegis has been my most favourite, open source, slick design and lots of in build useful features!

[TryNinja]

I wouldn't use Google Authenticator anyways. There are many open source options that can be locked with a password before the app loads and the attacker gets to steal the data from your screen.

What other options do you prefer then?
Years ago I used to use twilio aka authy before their data leak happened. After that I shifted to google Authenticator, and the security on that seemed shit, can't even lock the app, and now using Aegis.
Among all the ones, I can say aegis has been my most favourite, open source, slick design and lots of in build useful features!

Authy is even worse, besides the leak you can't backup your codes or export them.

On Android I'm using Bitwarden Authenticator (not connected to my bitwarden account, so it's not centered all in one place).
On iOS I use Raivo: https://apps.apple.com/app/raivo-freeotp-authenticator/id1459042137

[DYING_S0UL]

Authy is even worse, besides the leak you can't backup your codes or export them.

On Android I'm using Bitwarden Authenticator (not connected to my bitwarden account, so it's not centered all in one place).
On iOS I use Raivo: https://apps.apple.com/app/raivo-freeotp-authenticator/id1459042137

And the worst part was, when I changed my device I had my codes locked in! They were encrypted with some master password which I forgot. Even though I had the mail and number associated with the account I couldn't reset it back then. I don't remember that incident clearly but the conclusion was I couldn't recover them. Losing master password = losing the codes permanently.

Luckily, I had saved specific backup codes for my mail, social sites and other account written elsewhere! Without them I would lose access forever.

Is the backup system on Bitwarden local based or cloud?

[TryNinja]

And the worst part was, when I changed my device I had my codes locked in! They were encrypted with some master password which I forgot. Even though I had the mail and number associated with the account I couldn't reset it back then. I don't remember that incident clearly but the conclusion was I couldn't recover them. Losing master password = losing the codes permanently.

Luckily, I had saved specific backup codes for my mail, social sites and other account written elsewhere! Without them I would lose access forever.

Is the backup system on Bitwarden local based or cloud?

You have the choice to sync your 2fa codes with your cloud bitwarden account (for passwords), or just import/export and leave it entirely offline (locally). I leave it offline and just export the backups, so I have two points of failure: one for my passwords and one for my 2fa.